About this Guide 


Welcome to Qualys Patch Management! We'll help you get acquainted with the Qualys 
solutions for patching your systems using the Qualys Cloud Security Platform. 


About Qualys 


Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of cloud-based security and 
compliance solutions. The Qualys Cloud Platform and its integrated apps help businesses 
simplify security operations and lower the cost of compliance by delivering critical 
security intelligence on demand and automating the full spectrum of auditing, 
compliance and protection for IT systems and web applications. 


Founded in 1999, Qualys has established strategic partnerships with leading managed 
service providers and consulting organizations including Accenture, BT, Cognizant 
Technology Solutions, Deutsche Telekom, Fujitsu, HCL, HP Enterprise, IBM, Infosys, NTT, 
Optiv, SecureWorks, Tata Communications, Verizon and Wipro. The company is also a
founding member of the Cloud Security Alliance (CSA). For more information, please visit
www.qualys.com.


Qualys Support 


Qualys is committed to providing you with the most thorough support. Through online 
documentation, telephone help, and direct email support, Qualys ensures that your 
questions will be answered in the fastest time possible. We support you 7 days a week, 
24 hours a day. Access online support information at www.qualys.com/support/.


Patch Management Overview


Qualys Patch Management provides a comprehensive solution to manage vulnerabilities 
in your system and deploy patches to secure these vulnerabilities as well as keep your 
assets upgraded. The Qualys Vulnerability Management, Detection, and Response (VMDR) 
module enables you to discover, assess, prioritize, and identify patches for critical 
vulnerabilities. The Patch Management module helps you save time and effort by 
automating patch management on Windows and Linux assets using a single patch 
management application. It provides instant visibility on patches available for your asset 
and allows you to automatically deploy new patches as and when they are available. 


The Windows Cloud Agent downloads the required patches from external sources. 
However, patches that require authentication cannot be downloaded by the agent. You 
can manually download and install such patches on the assets. Qualys Patch 
Management will then identify these patches as installed. The Linux Cloud Agent accesses
the patches from the YUM repository and deploys the patches to the Linux assets in Patch
Management.


Note: Qualys Patch Management 1.5 supports Linux assets for Patch Management. 


Qualys Subscription and Modules required 


You need the Patch Management (PM) module enabled for your account.


System support 
Patch Management supports installing patches on Windows and *Linux systems.


Note: * Currently, you can deploy patch jobs only on Linux assets for RHEL version 6, 7, 8, 
CentOS 6 and 7, Oracle Linux 6, 7, 8, Amazon Linux, and Amazon Linux 2. 


Patch Management Process Workflow 


Follow these steps to get started with Patch Management. 


[Figure: process workflow. Steps as labelled in the diagram: Procure Patch Management License; Download Cloud Agents for Windows and Linux; Whitelist Patch Download URLs; Install Cloud Agent on Assets; Activate PM Module on all Assets; Deploy Jobs; Review Job Results]


Agent Installation and Configuration
- Installing Cloud Agents on Assets
- Enabling PM in a CA configuration profile (using the CA app)
- User Roles and Permissions

Deploy Patches
- Creating Assessment Profiles for Windows Assets
- Reviewing Missing and Installed Windows Patches
- Deploying Patches Jobs on Windows Assets
- Deploying Patches Jobs on Linux Assets
- Reviewing Job Results

Uninstall Windows Patches
- Creating Assessment Profiles for Windows Assets
- Reviewing Missing and Installed Windows Patches
- Uninstalling Patches from Windows Assets
- Reviewing Job Results


Patch Management features 


Qualys Patch Management provides a comprehensive solution for patching assets with the 
following features: 


- Deploy patches for Windows and Linux assets 

- Schedule run-once or recurring jobs for Windows and Linux assets 

- Clone and edit Windows and Linux jobs 

- View patches, assets, and job details for Windows and Linux systems 
- Review missing and installed patches for Windows assets 

- Download Windows patches from the vendor site 

- Create custom Assessment Profile for Windows assets 

- Use QQL to automate patch selection for Windows deployment job 

- Export patch data for Windows assets 

- Uninstall patches from Windows assets


- Create custom dashboards and widgets for Windows assets 


User Roles and Permissions 


Role-Based Access Control (RBAC) gives you the flexibility to control access to Patch 
Management features based on the roles of the individual users. 


Each user is assigned a pre-defined user role which determines what actions the user can
take. These roles are exclusive to the Patch Management module only. The roles defined in
other modules have NO correlation with those defined in Patch Management.



We have the following five out-of-the-box (OOTB) roles for PM users. Each role, except 
Patch Security, is an incremental role to the previous one. Let's understand the user roles 
and permissions. 


Roles and descriptions:

Patch Reader
- Default role that allows users to view:
  - Assigned jobs
  - Assessment profiles
  - Dashboards

Patch Dashboard Author
- Includes the Patch Reader permissions
- Allows a user to develop dashboards
- Does not allow the user to manage patching jobs

Patch User
- Includes the Patch Dashboard Author permissions
- Allows users to manage patching activities
- Build dashboards for reporting information

Patch Manager
- Includes all permissions except create job advisory

Patch Security
- This role is mutually exclusive from the other roles.
- Meant for Security experts or Security operations (SecOps)
- Allows the user to select patches and create a partially configured job which needs to be assigned to a Patch User or Patch Manager to add a job owner
- Cannot edit any job


Note: We do not recommend that you create custom roles for the Patch Management 
users by assigning or removing permissions available through the default roles. Such 
customization of roles or change of permissions might cause the user roles to not work as 
per the design. 


For Patch Management, we refer to the Global Dashboard Permissions to determine what 
operations a user can perform on the Unified Dashboard. The Global Dashboard 
Permissions will only allow the Patch Manager, Patch User, and Patch Dashboard Author to 
create, edit, and delete their own dashboards. For permissions to edit or delete other users'
dashboards, or to print or download a dashboard, contact your SuperUser or Administrator.


Fallback to free version 


Patch Management will revert to the Free version after your Trial or Full subscription 
expires. Existing scan intervals of less than 24 hours will get converted to intervals of 24 
hours. Your existing jobs will be disabled and you can re-enable them once you renew 
your subscription. 


The free version allows you to create assessment profiles with a minimum scan interval of 
24 hours and see a list of missing and installed patches on the assets in your environment. 
It doesn't allow creating deployment/uninstall jobs. 


Installing Cloud Agents on Assets 


Patch Management allows you to manage your Windows and Linux assets. You must
install and configure Cloud Agents to enable Patch Management to deploy patch jobs.


Agent installations are managed on the Cloud Agent (CA) app. 


Let's get started! 
Choose CA (Cloud Agent) from the app picker. 


As a first-time user, you'll land directly on the Getting Started page.



What are the steps? 


Create an activation key. Go to Activation Keys, click the New Key button. Give it a title, 
provision for the PM application and click Generate. 



As you can see, you can provision the same key for any of the other applications in your
account.


[Screenshot: New Activation Key dialog. Help text shown in the dialog: "An activation key is used to install agents. This provides a way to group agents and better manage your account. By default this key is unlimited - it allows you to add any number of agents at any time." The dialog has a Title field, tag selection, the "Provision Key for these applications" options (VM Vulnerability Management, PC Policy Compliance, Patch Management), network selection, and Set limits.]


Downloading Installer 


Click Install instructions next to Windows (.exe) or Linux (.rpm). 


[Screenshot: "New activation key generated successfully" dialog listing the installation requirements for the Windows (.exe), Linux (.rpm) and Linux (.deb) installers, each with an Install instructions button.]


Review the installation requirements and click Download. 


You'll run the installer on each system from an elevated command prompt, or use a
systems management tool or Windows group policy. Your agents should start connecting
to our cloud platform.


Here's an example.

For Windows agent:

Install Agents

You are ready to install the agent.

Current agent version: 2.2.0.162
Hash-SHA-256: f5e81ac2974389cdf85d0abf67370c3b108d25eea523c2b1b90aada3464e3513

Windows Installation Requirements
- To install the agent you must have local administrator privileges on your host.
- Your host must be able to reach the Qualys Cloud Platform or the Qualys Private Cloud Platform over HTTPS port 443.

Steps to Install the Windows Agent
- Download the agent installer. File will be saved to your downloads area, as defined by your local system.
- Copy QualysCloudAgent-2.2.0.162.exe to the host you want to monitor and run the command, or use group policy or a systems management tool.

Copy and paste this command for installation:

    QualysCloudAgent-2.2.0.162.exe CustomerId={9349fa48-7f02-f47b-815d-81b3d38959f4} ActivationId={4ab639c2-d4b2-45bf-a65b-fbc7b4f7902d}


For Linux agent, to enable patch installation on Linux assets, note the following:

- Supported YUM file version 3.2.29.
- YUM file must be configured with debugloglevel >= 2. Default is 2.
- (Optional) The YUM file is configured with correct proxy settings.
- The endpoint is subscribed for active Red Hat subscriptions.
- The Agent must be running as the root user or as a sudo user. You can configure users by
using the Agent configuration tool.

You are ready to install the agent.

Linux (.rpm) Installation Requirements
- Your host must be able to reach the Qualys Cloud Platform or the Qualys Private Cloud Platform over HTTPS port 443.
- To install the agent you must have 1) root privileges, 2) non-root with Sudo root delegation, or 3) non-root with sufficient privileges (VM only).

Steps to Install the Linux Agent
- Download the agent installer (file size 5.74 MB). File will be saved to your downloads area, as defined by your local system.
- Copy QualysCloudAgent.rpm to the host you want to monitor and run the command.

Copy and paste this command for installation (sudo access required):

    sudo rpm -ivh QualysCloudAgent.rpm
    sudo /usr/local/qualys/cloud-agent/bin/qualys-cloud-agent.sh ActivationId=c05e5fdb-56d3-4f46-bf82-26ce4776981a CustomerId=dd89963b-b133-c850-8369-fec57d7de928
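The yum prerequisites listed above for Linux patch installation can be checked on an asset before PM is activated. The script below is an added example, not part of the Qualys guide or the Cloud Agent: the function names and the sample yum.conf are constructed, and it assumes that the guide's "debugloglevel" is the yum.conf [main] option debuglevel and that 3.2.29 is a minimum version.

```shell
#!/bin/sh
# Added example: pre-flight check for the yum settings listed above.
# Function names and the sample yum.conf are constructed for illustration.
# Assumptions: "debugloglevel" in the guide is yum.conf's [main] option
# "debuglevel", and 3.2.29 is the minimum supported yum version.

# Print the value of KEY in the [main] section of FILE (last assignment wins).
yum_main_value() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }                       # comment line
        /^[ \t]*\[/   { in_main = ($0 ~ /^[ \t]*\[main\]/); next }
        in_main && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# Succeed when version A is greater than or equal to version B (dotted numbers).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if ((x[i] + 0) > (y[i] + 0)) exit 0
            if ((x[i] + 0) < (y[i] + 0)) exit 1
        }
        exit 0
    }'
}

# Succeed when debuglevel is 2 or higher; an absent option counts as yum's default of 2.
check_debuglevel() {
    [ -r "$1" ] || return 2
    level=$(yum_main_value "$1" debuglevel)
    level=${level:-2}
    case "$level" in *[!0-9]*) return 1 ;; esac
    [ "$level" -ge 2 ]
}

# Succeed when no proxy is set, or when the proxy value is a URL with a scheme.
check_proxy() {
    [ -r "$1" ] || return 2
    proxy=$(yum_main_value "$1" proxy)
    case "$proxy" in
        ''|?*://?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run all checks for CONF and a yum version string; print one line per check
# and return the number of failed checks.
check_yum_prereqs() {
    conf=$1; yum_version=$2; failed=0
    if version_ge "$yum_version" 3.2.29; then
        echo "PASS yum version $yum_version"
    else
        echo "FAIL yum version '$yum_version' is below 3.2.29"; failed=$((failed + 1))
    fi
    if check_debuglevel "$conf"; then
        echo "PASS debuglevel is 2 or higher"
    else
        echo "FAIL debuglevel in $conf is below 2 or unreadable"; failed=$((failed + 1))
    fi
    if check_proxy "$conf"; then
        echo "PASS proxy setting is absent or a full URL"
    else
        echo "FAIL proxy in $conf is not a URL such as http://host:port"; failed=$((failed + 1))
    fi
    return "$failed"
}

# Constructed sample, not taken from a real host: debuglevel is too low and the
# proxy lacks a scheme. On an asset, run instead:
#   check_yum_prereqs /etc/yum.conf "$(yum --version | head -n 1)"
sample=$(mktemp)
cat > "$sample" <<'EOF'
[main]
cachedir=/var/cache/yum/$basearch/$releasever
debuglevel=1
proxy=proxy.example.internal:3128

[updates]
debuglevel=5
EOF
check_yum_prereqs "$sample" 3.2.29 || echo "$? check(s) failed"
rm -f "$sample"
```

Only the [main] section is read, so a debuglevel set in a repository section does not mask a low global value.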


Your host must be able to reach your Qualys Cloud Platform (or the Qualys Private Cloud 
Platform) over HTTPS port 443. On the Qualys Cloud Platform, go to Help > About to see 
the URL your host needs to access. For more information about connectivity 
requirements/proxy settings refer to the platform specific Cloud Agent Installation Guides 
available on https://www.qualys.com/documentation/. 


Note: Ensure that you whitelist the required URLs to allow the Cloud Agent to download 
the Windows patches on your host. Click here to view the list of URLs. 


Activating your agents for PM 


Go to the Agents tab, and from the Quick Actions menu of an agent, click Activate for FIM
or EDR or PM or SA. (Bulk activation is supported using the Actions menu).


Enabling PM in a CA configuration profile 


You can create a new profile or edit an existing one. The PM module is enabled by default. 


[Screenshot: Configuration Profile Creation, Patch Management step, showing the "Enable PM module for this profile" toggle and the "Cache size for download patches" setting (2048 MB shown; allowed range 512 - 10240 MB, or Unlimited).]


The Cache size setting determines how much space the agent should allocate to store 
downloaded patches on the asset. The default allocated size is 2048 MB. If you are 
planning on using the opportunistic download, where an agent downloads patches before 
deployment, it is recommended to increase the cache size, or to allow for Unlimited Cache 
size. Note that the agent will clear the cached files after deployment. 


You're ready! 


Select PM from the application picker and then create a deployment job to start installing
patches on your assets.

Managing PM Licenses 


The Licenses tab, enabled only for paid subscribers, shows the number of licenses
consumed by Patch Management (PM). You can include asset tags to allow patch installing
and uninstalling on the assets contained in those asset tags. The Total Consumption
counter may exceed 100% if the number of assets activated for PM is more than the
number of PM licenses you have. Assets in the excluded asset tags are not considered for
patch management and you cannot deploy patches on those assets.


Note: In case the Total Consumption counter exceeds 100%, licenses will be consumed 
based on the asset activation time stamp in ascending order. 


Only admin and super users can manage licenses. Sub-users can only view the license 
information. 


[Screenshot: Configuration > Licenses tab showing License Consumption, License Details, and the "Select assets for patch management" section with Include Assets Tags and Exclude Assets Tags.]


Using Tags to Grant Access to Assets 


An asset tag is a tag assigned to one or more assets. Tag scopes define what assets the user
can view when creating a Job or when the user goes to the Assets tab in Patch Management.


Assigning a tag to an asset enables you to grant users access to that asset by assigning the
same tag to the user's scope. Want to define tags? It's easy - just go to the Asset
Management (AM) application.


To assign asset tags to the user:


1) Go to the Administration module and then from the User Management tab search or
select the user.


2) From the Quick Actions menu, click Edit.


3) On the User Edit screen, go to the Roles and Scopes tab. 


4) In the Edit Scope section, select one or more asset tags that you want to assign to the 
user. Then click Save. 


Creating Assessment Profiles for Windows Assets


You can create custom assessment profiles to add assets with specific tags and configure 
scan interval at which you want the cloud agent to collect patch information from the 
assets. This is an optional step. 


By default, your cloud agents scan for patches (missing and installed) at a specific 
interval, as defined in the default Assessment Profile. 


For Linux jobs, the patch scan is currently not supported and the installed and missing
patches information is also not collected. For this reason, assessment profiles
are not applicable to Linux assets.


What is the default assessment profile? 


At first, a default assessment profile is applied to all agents, which scans the assets at an 
interval of 24 hours for free subscription and 4 hours for trial/paid subscription. 


Adding a custom assessment profile 


Simply go to Configuration > Create Profile, provide a profile name, select asset tags to 
apply this custom profile to, and then select the scan interval (minimum 24 hours for free 
subscription and 4 hours for trial/paid subscription). Multiple assessment profiles can be 
created with different intervals. 


Note: Only admin users can create/modify/delete the assessment profiles. Non-admin 
users can only view assessment profiles. 


Scan interval of less than 24 hours will be automatically changed to an interval of 24 
hours, when a Paid or Trial subscription expires and the app gets converted into a free 
version. 


Good to Know - Asset tags once applied to one custom profile, cannot be applied to 
another custom profile. When you select an asset tag, corresponding child tags are 
automatically selected. Assets falling under more than one profile because of different 
tags will be assigned the default assessment profile.


Reviewing Missing and Installed Windows Patches


The patches listed in the Patch Management patch catalog for Windows assets are the ones
missing on the host, as detected by the Patch Management scan. You can view
missing and installed patches on the Patches and Assets tabs. The Patches tab shows a key
icon for patches that cannot be downloaded via the Qualys Cloud Agent. A key-shaped
icon indicates that the patch must be acquired from the vendor.


On the Patches tab, we list two types of patches: 
1) Qualys Patchable 

2) AcquireFromVendor 

Qualys Patchable 


Qualys Patchable are the patches that can be installed using Patch Management. Most of 
the patches listed on the Patches tab are Qualys Patchable. 


AcquireFromVendor 


We have certain patches which are listed under the Patches tab but cannot be installed using
Patch Management. These patches are marked as "AcquireFromVendor", which means you
need to manually download the patch from the vendor website and install it on the host.
See Downloading Patches from the Vendor Site.


Patches which are not marked as "AcquireFromVendor" are defined as "Qualys Patchable",
which means they can be added to a patch job.




The default or a custom assessment profile scans the assets for missing and installed patches at
regular intervals. This information is then displayed on the Patches tab in the form of
missing or installed patches.



Note that patches are linked to QIDs using CVE IDs. The QID for a patch is not shown if the 
QID is not linked to a CVE ID. CVE ID is the common point of linking and required to link 
the patch with the QID. 


[Screenshot: Patch Catalog on the Patches tab, filtered with the query agentId: "47a9921f-c0e2-4663-9c31-a109dfaf2bf8" and patchStatus: "Missing", listing 15 missing patches with their title, architecture, bulletin / KB, QID, vendor severity and missing/installed counts.]



Alternatively, you can go to the Assets tab to view missing and installed patches on
particular assets.


Downloading Patches from the Vendor Site 


The Patches tab shows a key icon for patches that cannot be downloaded via the Qualys
Cloud Security Agent. This "key" shaped icon indicates that the patch must be acquired
from the vendor.



If you try to add such a patch to a patch job, then the system will show a message
informing you that these patches will not be added to the job as they are no longer
supported for download via the Cloud Agent.


For such patches, the patch details page displays the Download Method as
"AcquireFromVendor" and the known patch URL in the Patch Information section. Use the
URL to download the patch.


The download methods for a patch are:

- Automatic - Patch downloadable using the Cloud Agent (Qualys Patchable: Yes)
- AcquireFromVendor - Patch must be acquired from the vendor and installed manually
(Qualys Patchable: No)
- Unavailable - Patch download information is not available (Qualys Patchable: No)


[Screenshot: patch details for Java Development Kit 8 Update 212. The Patch Information section shows Qualys Patchable: No, Download Method: AcquireFromVendor, and the vendor download URL.]


Deploying Patches Jobs on Windows Assets 


You can create a deployment job to install missing patches on assets. You have three 
options to create the deployment job from the following tabs: 


1) Jobs 

2) Assets 

3) Patches 

Refer to the Managing Patch Jobs for Windows Assets topic in the online help. 


You can check the workflow to deploy jobs on Windows assets. 


[Figure: workflow for deploying jobs on Windows assets. Steps as labelled in the diagram: Scan for missing and installed patches; (Optional) Create Assessment Profiles; Select Patches or create Query; Configure a Job Schedule; Setup Reboot options]


User Scenario: Deploying security patch jobs for Microsoft 


Microsoft releases crucial security patches on a regular basis. To automate the job
deployment for these patches, you can create a job to run on the 2nd Tuesday of every
month.


To automate the patch installation, create a monthly recurring deployment job with the 
following parameters: 


1. Navigate to Jobs > Windows > Create Job, and click Deployment Job. 



2. Enter the job title as Microsoft Security Patches and click Next. 
3. Select assets or asset tags on which you want to apply the patches. 


4. (Optional) Select Add Exclusion Asset Tags to exclude the assets from the deployment
job that have All/Any of the selected asset tags.

5. To select patches to apply to the assets, choose the Select Patch option, and then click 
the Take me to patch selector link to select patches. 


6. On the Patch Selector page, in the search query, enter appfamily:windows and 
isSecurity: True and select the patches from the search results. 



Note: You can add a maximum of 2000 patches to a single job.

7. Click Add to Job and then click Close. 

8. On the Select Patches page, click Next. 

9. On the Schedule Deployment page, click Schedule. 

10. Select the start date and time, and select the Recurring Job. 


11. Set Repeats as Monthly, select day of a week, and 2nd Tuesday of the month at 9:00 
PM. 



12. (Optional) Set the Patching window if you want to restrict the agent to start the job
within the specified patch window (e.g., start time + 6 hours). The job gets timed out if it
does not start within this window.


13. Based on your preference, configure how to notify the users about the patch
deployment. Configure the pre-deployment messages and allow deferring the patch
deployment a certain number of times.


[Screenshot: Create Deployment Job, step 5 of 7, Deployment and Reboot Communication Options. Define user (recipient) patch deployment communication and reboot warning messages to encourage and educate users about patch installation and the reboot cycle.]

Deployment messages
- Pre-Deployment: Display message to users before patch deployment starts. (If no user is logged in, deployment process starts per job schedule)
- Deployment in Progress: Display message to users while patch deployment is in progress.
- Deployment Complete: Display message to users when patch deployment is complete. (If reboot is required, Reboot Request message will be displayed instead)

Reboot messages
- Suppress Reboot: Asset reboot is suppressed and users are not prompted for reboot post patch installation.
- Reboot Request: Show a message to users indicating that a reboot is required. (If no user is logged in, the reboot will start immediately after patch deployment)
- Reboot Countdown: Show countdown message to users after deferment limit is reached.

Additional Job Settings
- Enable opportunistic patch download: The agent attempts to download patches before a scheduled job runs.
- Minimize job progress window: Allow end-users to minimize message windows.


14. Finally, based on the permissions assigned to other users, choose the Co-Authors who can edit this job.


15. Next, review the configuration. The job can be created either in the ENABLED state by using the Save & Enable option or in the DISABLED state by using the default Save button.

Note: The Patch Manager user can change the job status (enable/disable), delete and edit the job.


Using QQL to Automate Patch Selection for Windows Jobs


You can use Qualys Query Language (QQL) to define the criteria that associate selected patches with a deployment job. QQL ensures that all the latest patches that meet the criteria are automatically associated with the job without manual intervention. This saves time and ensures that critical patch updates are installed regularly.

Although you can use QQL for a run-once job, it is best suited to recurring jobs.

QQL is available only for deployment jobs and not for uninstall jobs. Because uninstall patch jobs are executed for selected patches and are rarely used, the QQL option is not provided for the uninstall job.


User scenario: Installing critical patches for Chrome and Internet Explorer

To ensure that the browsers receive critical updates, you can create a daily recurring job that deploys critical patches.


1. Navigate to Jobs > Windows > Create Job, and click Deployment Job. 




2. Enter the job title as Browser Security Patches and click Next. 
3. Select assets or asset tags on which you want to apply the patches. 


4. (Optional) Select Add Exclusion Asset Tags to exclude the assets from the deployment 
job that have ALL/ANY of the selected asset tags. 


5. To select patches to apply to the assets, choose Create a Query for Patches. Enter 
appFamily:Chrome or appFamily:“Internet Explorer”. 


Note: For optimum performance, only missing and non-superseded patches that match the QQL criteria will be added to the job.


6. Create the following job schedule: 
Schedule: Schedule the deployment job to run at a set time.
- START DATE: 04/22/2021
- Recurring Job: selected
- REPEATS: Daily
- START TIME: 9:00 pm


7. (Optional) Set the Patching window if you want to restrict the agent to start the job 
within the specified patch window (e.g., start time + 6 hours). The job will time out if it 
does not start within this window. 


8. Based on your preference, configure how to notify the users about the patch deployment. Configure the pre-deployment messages, including deferring the patch deployment a certain number of times.

9. Finally, based on the permissions assigned to other users, choose the Co-Authors who can edit this job.

10. Next, review the configuration. The job can be created either in the ENABLED state by using the Save & Enable option or in the DISABLED state by using the default Save button.

Note: The Patch Manager super user can change the job status (enable/disable), delete and edit the job.




Uninstalling Patches from Windows Assets 


You can create a patch uninstall job to uninstall patches from Windows assets. Uninstall jobs are rarely needed and should be used with caution because they can uninstall patches that you might not have wanted to uninstall. We recommend that you use the run-once option for the Windows uninstall job. We don't uninstall software applications by default; however, if a patch is uninstalled, sometimes the software application might get uninstalled. Be extremely precise while selecting the patches that you want to uninstall.


User Scenario: Uninstalling an older version of Internet Explorer browser


Using an older version of the web browser can cause security issues. You can uninstall an older version of the Internet Explorer browser that might have been released before 2016.


1. Navigate to Jobs > Windows > Create Job, and click Uninstall Job. 




2. Provide a job title, and then select the assets or asset tags from which you want to uninstall the patches.


3. Select patches to uninstall from the assets. Use the patch selector link to select patches. 


4. On the Uninstallable Patches page, in the search query, enter appfamily: Internet 
Explorer and publishedDate: [2015-12-31]. 


Note: You can add a maximum of 2000 patches to a single job.


7. Click Add to Job and then click Close. 
8. On the Select Patches page, click Next. 


9. On the Schedule Deployment page, click On Demand. 


10. Based on your preference, configure how to notify the users about the patch deployment. Configure the pre-deployment messages, including deferring the patch deployment a certain number of times.

Patch Uninstallation and Reboot Communication Options: Define user (recipient) patch uninstall communication and reboot warning messages to encourage and educate users about patch uninstallation and the reboot cycle.

Patch uninstall messages
- Pre-Uninstallation: Display message to users before patch uninstallation starts. (If no user is logged in, the uninstallation process starts per job schedule.)
- Uninstallation in Progress: Display message to users while patch uninstallation is in progress.
- Uninstall Complete: Display message to users when patch uninstallation is complete. (If reboot is required, the Reboot Request message will be displayed instead.)


11. Finally, you can prompt the user or choose to suppress reboot when an asset reboot is required post patch installation.

Reboot messages
- Suppress Reboot: Asset reboot is suppressed and users are not prompted for reboot post patch uninstallation.
- Reboot Request: Show a message to users indicating that a reboot is required. (If no user is logged in, the reboot will start immediately after patch uninstallation.)
- Reboot Countdown: Show countdown message to users after deferment limit is reached.

Additional Job Settings
- Minimize job progress window: Allow end-users to minimize message windows.

12. Finally, based on the permissions assigned to other users, choose the Co-Authors who can edit this job.


13. Next, review the configuration. The job can be created either in the ENABLED state by using the Save & Enable option or in the DISABLED state by using the default Save button.

You must enable the disabled job in order to run it. To enable a disabled job, go to the Jobs tab, then from the Quick Actions menu of a job, click Enable. Choose the Save & Enable option only when you are confident that the job is correctly configured, because the job will begin executing as soon as you save the job.


Note that the Patch Manager user can change the job status (enable/disable), delete and 
edit the job. 




Deploying Patches Jobs on Linux Assets 


You can create a deployment job to install patches on Linux assets. You can create the deployment job from any of the following three tabs:


1) Jobs 

2) Assets 

3) Patches 

Refer to the Managing Patch Jobs for Linux Assets topic in the online help. 


User Scenario: Deploying security patches for RHEL assets 


Red Hat releases security patches on a frequent basis. To automate the patch installation, create a deployment job with the following parameters:

1. Navigate to Jobs > Linux > Create Job.


2. Enter the job title as RHEL Security Patches and click Next. 
3. Select assets or asset tags on which you want to apply the patches. 


4. (Optional) Select Add Exclusion Asset Tags to exclude the assets from the deployment 
job that have All/Any of the selected asset tags. 


5. To select patches to apply to the assets, choose the Select Patch option and then click the Take me to patch selector link to select patches.

6. On the Patch Selector page, in the search query, enter category:Security and select the patches.

Note: You can add a maximum of 2000 patches to a single job.
7. Click Add to Job and then click Close. 
8. On the Select Patches page, click Next. 




9. On the Schedule Deployment page, click Schedule. 


10. Select the start date and time, and select Recurring Job.

11. Set Repeats to Monthly, select day of the week, and choose the 1st Monday of the month at 9:00 PM.

12. (Optional) Set the Patching window if you want to restrict the agent to complete the job within the specified patch window (e.g., start time + 6 hours). The job will time out if it does not complete within this window.


13. Based on your preference, configure reboot communication options. Enable the Continue patching even after a package failure occurs for a patch option so that if one of the packages in the patch fails to install, the other packages are still installed.

Reboot Communication Options: Define user (recipient) patch deployment communication and reboot warning messages to encourage and educate the user about patch installment and the reboot cycle.

Reboot messages
- Suppress Reboot: Asset reboot is suppressed and users are not prompted for reboot post patch installation.

Additional Job Settings
- Continue patching even after a package fails to install for a patch: Enabling this setting ensures that if one of the packages for the patch fails to install, installation of other packages is attempted.

14. Finally, based on the permissions assigned to other users, choose the Co-Authors who can edit this job.

15. Next, review the configuration. The job can be created either in the ENABLED state by using the Save & Enable option or in the DISABLED state by using the default Save button.


Note: The Patch Manager super user can change the job status (enable/disable), delete 
and edit the job. 
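
The monthly recurrence and patch window rules from the Windows and Linux deployment scenarios above, worked through in Python as an added example (it is not Qualys code and does not call any Qualys API). The function names, the sample agent timings and the inclusive window boundary are assumptions made for illustration.

```python
import calendar
from datetime import datetime, timedelta

MONDAY, TUESDAY = calendar.MONDAY, calendar.TUESDAY  # 0 and 1


def nth_weekday(year, month, weekday, n):
    """Date of the n-th `weekday` in the month, or None if the month has fewer."""
    days = [d for d in calendar.Calendar().itermonthdates(year, month)
            if d.month == month and d.weekday() == weekday]
    return days[n - 1] if 1 <= n <= len(days) else None


def monthly_runs(start, weekday, n, hour, minute, count):
    """First `count` run times at or after `start` for 'n-th weekday at hh:mm'."""
    if not 1 <= n <= 5:
        raise ValueError("n must be between 1 and 5")
    runs, year, month = [], start.year, start.month
    while len(runs) < count:
        day = nth_weekday(year, month, weekday, n)
        if day is not None:
            run = datetime(day.year, day.month, day.day, hour, minute)
            if run >= start:
                runs.append(run)
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    return runs


def job_outcome(platform, scheduled, window_hours, agent_start, agent_end):
    """Apply the patch window rule the guide states for each platform.

    Windows: the job must START within the window.
    Linux:   the job must COMPLETE within the window.
    Assumption: a time exactly on the window boundary still counts as inside.
    """
    if platform not in ("windows", "linux"):
        raise ValueError("platform must be 'windows' or 'linux'")
    deadline = scheduled + timedelta(hours=window_hours)
    checkpoint = agent_start if platform == "windows" else agent_end
    return "runs" if checkpoint <= deadline else "timed out"


if __name__ == "__main__":
    created = datetime(2021, 4, 22)  # sample job start date

    print("Windows job, 2nd Tuesday at 9:00 PM:")
    for run in monthly_runs(created, TUESDAY, 2, 21, 0, 3):
        print("  ", run.strftime("%a %Y-%m-%d %H:%M"))

    print("Linux job, 1st Monday at 9:00 PM:")
    for run in monthly_runs(created, MONDAY, 1, 21, 0, 3):
        print("  ", run.strftime("%a %Y-%m-%d %H:%M"))

    # Constructed timing: the agent starts 5.5 hours after the scheduled
    # time and finishes 7 hours after it, with a 6 hour patch window.
    scheduled = monthly_runs(created, TUESDAY, 2, 21, 0, 1)[0]
    started = scheduled + timedelta(hours=5, minutes=30)
    finished = scheduled + timedelta(hours=7)
    for platform in ("windows", "linux"):
        print(platform, "->", job_outcome(platform, scheduled, 6, started, finished))
```

The same agent timing produces different outcomes on the two platforms, so a window sized for Windows jobs can be too short for Linux jobs whose installation itself takes hours.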
Reviewing Job Results 


Once the deployment or uninstall job is created, it runs immediately (OnDemand) or at 
the specified schedule. You can view the results of a job run, whether all patches were 
successfully installed or uninstalled or if there were failures. 


To view the job results, go to Jobs, then from the Quick Actions menu of a job, click View 
Progress. You can see the assets on which the patch deployment or uninstall job was run, 
and the results in the Progress column. 


On this screen, we also show you the assets that are not licensed in Patch Management. 
We skip job execution for these assets. 




We also show the following patch count for Windows jobs: 


- INSTALLED: Number of patches that were successfully deployed on the agent in the 
latest job run. 


- FAILED: Number of patches that failed to install due to some errors on the agent in the 
latest job run. 


- SKIPPED: Number of patches that were skipped in the latest job run.


A few patches might be skipped because the patches are not applicable for the asset, 
superseded by another patch, or are already installed. 


Note: The error logs for failed patches of Linux patch jobs are stored only for 14 days. 


Job activities corresponding to the reboot messages and notifications displayed on the asset are logged at the following location:

%USERPROFILE%\AppData\Local\Qualys\QualysAgent\QAgentUiLog.txt

Exporting Patch Data for Windows Assets 


You can export detailed patch data for Windows assets from the Patches and Assets tabs. 
You can download job progress details from the Job Progress option on the Jobs tab. 


You can also view the list of reports generated and their statuses. Exporting the patch data allows you to import the data into a preferred analytics tool, such as Tableau. For example, you can analyze the data and calculate the compliance ratio to make sound decisions, or you can use the patch data to identify patches that were missed based on the severity of the critical assets.


You can now overlay the patch data with other business data to set a new context for 
analysis. Exporting allows you to integrate data from different systems and view it on a 
single pane of glass. The reports are available to download for 7 days. 


How to Export Patch Data? 
To export patch data, go to the Patches or Assets tab and click Download: 




The Report Download Request Status page lists all the reports that are ready to download 
or are being generated. Once the reports are generated, click to download the report and 
then simply unzip the file to view the data. 


You can also export the data from the Job Progress tab. To download the individual job details, go to Jobs > Quick Actions > View Progress > Download.


URLS to be Whitelisted For Patch Download 


This section provides a list of URLs that you must whitelist for the Cloud Agent to 
successfully download patches on your assets. 


These URLs must be allowed access through firewalls or other content blocking methods 
to properly retrieve patches from the patch vendors. The Qualys Cloud Agent must get 
access to these URLs to successfully download patches. If you are using a Qualys Gateway 
Service (QGS) proxy, ensure that it has access to the URLs as well so that it can download 
and cache the patches. 


NOTE: To obtain the IP Address for vendor sites you can ping the vendor site or contact the 
vendor to obtain this information. We are unable to provide a list of IP addresses due to 
the varied dynamic IP addresses being used by the vendors. 


It may be easier to create an exception for an entire domain rather than entering all 
specific URLs. You can usually do so by entering the exception in this format: 


*.domain.com
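
A way to check, before a job runs, that a firewall or proxy allowlist (including the egress rules of a QGS proxy) covers every patch download endpoint, given here as an added example that is not part of the Qualys guide. The host names, rule list and function names are constructed for illustration, and the wildcard semantics (`*.domain.com` matches subdomains only, not the bare domain) are an assumption to confirm against your own firewall or proxy.

```python
from urllib.parse import urlsplit

# Default ports implied by the URL schemes used in the vendor list.
DEFAULT_PORTS = {"ftp": 21, "http": 80, "https": 443}


def endpoint(url):
    """Return the (host, port) pair that a rule must permit for `url`."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported or malformed URL: {url!r}")
    host = parts.hostname.lower().rstrip(".")
    return host, parts.port or DEFAULT_PORTS[scheme]


def rule_matches(rule, host):
    """Match one allowlist rule against a host name.

    Assumption: '*.domain.com' covers any subdomain but not 'domain.com'
    itself; a rule without '*' must equal the host exactly.
    """
    rule = rule.strip().lower().rstrip(".")
    host = host.lower().rstrip(".")
    if rule.startswith("*."):
        suffix = rule[1:]  # keep the leading dot so 'notdomain.com' cannot match
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == rule


def coverage(required_urls, allow_rules):
    """Split the required endpoints into covered ones and missing ones."""
    covered, missing = {}, set()
    for url in required_urls:
        host, port = endpoint(url)
        rule = next((r for r in allow_rules if rule_matches(r, host)), None)
        if rule is None:
            missing.add((host, port))
        else:
            covered[(host, port)] = rule
    return covered, sorted(missing)


# Constructed sample data (not taken from the vendor list).
REQUIRED_URLS = [
    "https://download.vendor-a.example/patches/setup.msi",
    "http://cdn01.vendor-a.example",
    "https://vendor-a.example",              # bare domain
    "ftp://ftp.vendor-b.example",
    "https://download.notvendor-a.example",  # look-alike suffix
]
ALLOW_RULES = ["*.vendor-a.example", "ftp.vendor-b.example"]


if __name__ == "__main__":
    covered, missing = coverage(REQUIRED_URLS, ALLOW_RULES)
    for (host, port), rule in sorted(covered.items()):
        print(f"covered  {host}:{port}  by rule {rule}")
    for host, port in missing:
        print(f"MISSING  {host}:{port}  (agent download would be blocked)")
```

Under the stated assumption, the bare domain is reported as missing even though a wildcard rule exists for it, which is the usual reason a domain-wide exception still leaves some downloads blocked.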


List of URLs to be whitelisted 
ftp://ftp.attglobal.net 


http://34e34375d0b7c22eafcf-c0a4be9b34fe09958cbea1670de70e9b.r87.cf1.rackcdn.com 
http://airdownload.adobe.com 
http://appldnid.apple.com 
http://appldnid.apple.com.edgesuite.net 
http://ardownload.adobe.com 
http://au.v4.download.windowsupdate.com 
http://b1.download.windowsupdate.com 
http://cache-download.real.com 
http://cache.lumension.com 
http://ccmdl.adobe.com 
http://cdn01.foxitsoftware.com 
http://cdn02.foxitsoftware.com 
http://cdn03.foxitsoftware.com 
http://cdn06.foxitsoftware.com 
http://cdn09.foxitsoftware.com 
http://cdn1.evernote.com 


http://citrixreceiver491000.html 
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http://citrixreceiver492000.html 
http://citrixreceiver493000.html 
http://content.ivanti.com 
http://dl.delivery.mp.microsoft.com 
http://dl.google.com 
http://d13.xmind.net 
http://download-ongin.cdn.mozilla.net 
http://download.adobe.com 
http://download.autodesk.com 
http://download.betanews.com 
http://download.ccleaner.com 
http://download.cdburnerxp.se 
http://download.gimp.org 
http://download.macromedia.com 
http://download.microsoft.com 
http://download.notepad-plus-plus.org 
http://download.oldfoss.com 
http://download.pdfforge.org 
http://download.piriform.com 
http://download.royalapplications.com 
http://download.teamviewer.com 
http://download.techsmith.com 
http://download.videolan.org 
http://download.virtualbox.org 
http://download.windowsupdate.com 
http://download.winzip.com 
http://download2.operacdn.com 
http://download3.operacdn.com 
http://download3.vmware.com 
http://download3.xnview.com 


http://download4.operacdn.com 
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URLs to be Whitelisted For Patch Download 


http://downloadarchive.documentfoundation.org 
http://downloads.hpe.com 
http://downloads.pdf-xchange.com 
http://downloads.sourceforge.net 
http://dwnld.windvdpro.com 
http://files2.zimbra.com 
http://fpdownload.macromedia.com 
http://ftp.adobe.com 
http://ftp.gimp.org 
http://ftp.opera.com 
http://ftp.osuosl.org 
http://get.geo.opera.com 
http://gigenet.dl.osdn.jp 
http://install.nitropdf.com 
http://jaist.dl.sourceforge.net 
http://javadl.oracle.com 
http://javadl.sun.com 
http://jsimlo.sk 
http://knowledge.autodesk.com 
http://osdn.dl.osdn.jp 
http://pspad.poradna.net 
http://pumath.dl.osdn.jp 
http://releases.mozilla.org 
http://silverlight.dlservice.microsoft.com 
http://sourceforge.net 
http://support.citrix.com 
http://support1.uvne.com 
http://updates-http.cdn-apple.com 
http://www.7-zip.org 
http://www.aimp.ru 


http://www.coreftp.com 
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URLs to be Whitelisted For Patch Download 


http://www.download.windowsupdate.com 
http://www.fosshub.com 
http://www.getpaint.net 
http://www.goodsync.com 
http://www.jam-software.com 
http://www.rarlab.com 
http://www.tightvne.com 
http://www.uvnc.com 
http://www.wireshark.org 
http://zoom.us 
https://2.na.dl.wireshark.org 
https://aimp.su 
https://airdownload.adobe.com 
https://allwaysync.com 
https://app.ringcentral.com 
https://archive.apache.org 
https://archive.mozilla.org 
https://ardownload2.adobe.com 
https://assets.cdngetgo.com 
https://astuteinternet.dl.sourceforge.net 
https://atlassian.jfrog.io 
https://ayera.dl.sourceforge.net 
https://az764295.vo.msecnd.net 
https://binaries.webex.com 
https://builds.cdn.getgo.com 
https://cdn.azul.com 
https://cdn.gomlab.com 
https://cdn01.foxitsoftware.com 
https://cdn1.evernote.com 
https://cfhcable.dl.sourceforge.net 
https://clientupdates.dropboxstatic.com 
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URLs to be Whitelisted For Patch Download 


https://content.ivanti.com 
https://corretto.aws 
https://cran.r-project.org 
https://d11yldzmag5yn.cloudfront.net 
https://d3pxv6yz143wms.cloudfront.net 
https://data-cdn.mbamupdates.com 
https://desktopassets.prezi.com 
https://dl.bandicam.com/bandicut 
https://dl.google.com 
https://dl.teamviewer.com 
https://dl.tvcdn.de 
https://dl1.cdn.filezilla-project.org 
https://d13.cdn.filezilla-project.org 
https://dl3.xmind.net 
https://download-installer.cdn.mozilla.net 
https://download.adobe.com 
https://download.ccleaner.com 
https://download.cdburnerxp.se 
https://download.filezilla-project.org 
https://download.gimp.org 
https://download.microsoft.com 
https://download.oracle.com 
https://download.gsrinternational.com 
https://download.royalapplications.com 
https://download.skype.com 
https://download.splunk.com 
https://download.sublimetext.com 
https://download.teamviewer.com 
https://download.techsmith.com 
https://download.tortoisegit.org 
https://download.videolan.org 
https://download.virtualbox.org
https://download.visualstudio.microsoft.com 
https://download.winzip.com 
https://download.xnview.com 
https://download1.operacdn.com 
https://download3.xnview.com 
https://downloadplugins.citrix.com 
https://downloads.hpe.com 
https://downloads.jam-software.de 
https://downloads.pdf-xchange.com 
https://downloads.plex.tv 
https://downloads.ringcentral.com 
https://downloads.slack-edge.com 
https://downloads.sourceforge.net 
https://downloads.tableau.com 
https://downloadus2.teamviewer.com 
https://downloadus4.teamviewer.com 
https://e3.boxcdn.net 
https://endpoint920510.azureedge.net 
https://files.zimbra.com 
https://fpdownload.adobe.com 
https://fpdownload.macromedia.com 
https://ftp.opera.com 
https://gensho.ftp.acc.umu.se 
https://gigenet.dl.sourceforge.net 
https://github.com 
https://iweb.dl.sourceforge.net
https://jabraxpressonlineprdstor.blob.core.windows.net
https://knowledge.autodesk.com
https://launch.getgo.com
https://managedway.dl.sourceforge.net
https://master.dl.sourceforge.net
https://media.inkscape.org 
https://meetings.webex.com 
https://mirror.clarkson.edu 
https://mirrors.gigenet.com 
https://mirrors.xtom.com 
https://msedge.sf.dl.delivery.mp.microsoft.com 
https://neevia.com 
https://netactuate.dl.sourceforge.net 
https://nmap.org
https://nodejs.org 
https://notepad-plus-plus.org 
https://osdn.mirror.constant.com 
https://osdn.net 
https://packages.vmware.com 
https://phoenixnap.dl.sourceforge.net 
https://pilotfiber.dl.sourceforge.net 
https://product-downloads.atlassian.com 
https://razaoinfo.dl.sourceforge.net 
https://s3.amazonaws.com/files.zimbra.com 
https://secure-appldnld.apple.com 
https://secure.logmein.com 
https://secure.mozy.com 
https://slack-ssb-updates.global.ssl.fastly.net 
https://sourceforge.net 
https://statics.teams.cdn.office.net 
https://storage.googleapis.com 
https://support.citrix.com 
https://swdl.bluejeans.com 
https://the.earth.li
https://versaweb.dl.sourceforge.net
https://web.mit.edu
https://www.7-zip.org 
https://www.citrix.com 
https://www.crowdstrike.com 
https://www.fosshub.com 
https://www.goodsync.com 
https://www.irfanview.info 
https://www.jam-software.com 
https://www.mercurial-scm.org 
https://www.morphisec.com 
https://www.oracle.com 
https://www.poly.com 
https://www.rarlab.com 
https://www.realvnc.com 
https://www.scootersoftware.com 
https://www.tightvnc.com 
https://www.tracker-software.com 
https://www.uvnc.com
https://www.wireshark.org